SANS ISC: Updated Twiki Snort Sig - Internet Security | DShield SANS ISC InfoSec Forums


Updated Twiki Snort Sig

This is an update to the Snort sig that we posted earlier for the recently announced TWiki vulnerability that allows remote code execution:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)

Note: This is a single line that has been broken to allow for better formatting in the diary. The "\" characters at the end of the lines above show where the line breaks have been added. Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, Frank Knobbe, and all the folks from Bleeding Edge (you guys rock!).

Tom
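
The rule's two URI tests replayed against constructed request URIs, as an added example that is not part of the original diary or of Snort. It joins the diary's broken lines back into one rule, extracts the uricontent and pcre options, and assumes percent-decoding is a close enough stand-in for Snort's URI normalization; the sample URIs and function names are made up for illustration.

```python
import re
from urllib.parse import unquote

# The rule as printed in the diary, including its "\" line breaks.
DIARY_RULE = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)'''

def join_rule(text):
    """Drop each trailing backslash and its newline to get the one-line rule."""
    return text.replace("\\\n", "")

def rule_matchers(rule):
    """Return (lower-cased uricontent string, compiled pcre) from the rule."""
    content = re.search(r'uricontent:"([^"]*)"', rule).group(1)
    body, flags = re.search(r'pcre:"/(.*)/([A-Za-z]*)"', rule).groups()
    return content.lower(), re.compile(body, re.I if "i" in flags else 0)

def would_alert(raw_uri):
    """True if both URI tests of the rule match the request URI."""
    content, regex = rule_matchers(join_rule(DIARY_RULE))
    uri = unquote(raw_uri)  # assumption: stands in for Snort's URI normalization
    return content in uri.lower() and regex.search(uri) is not None

# Constructed request URIs (not captured traffic).
BASE = "/twiki/bin/view/Main/"
SAMPLES = [
    BASE + "TWikiUsers?rev=2",             # purely numeric, end of URI: quiet
    BASE + "TWikiUsers?rev=2&skin=print",  # numeric, then next parameter: quiet
    BASE + "TWikiUsers?rev=1.3",           # any non-digit after rev= fires
    BASE + "twikiusers?REV=7a",            # nocase and /i: case does not matter
    BASE + "TWikiUsers?rev=2%20x",         # checked after decoding: fires
    BASE + "TWikiUsers?prev=2x",           # pcre is unanchored: prev= also fires
    BASE + "WebHome?rev=2x",               # other topic: uricontent absent, quiet
]

def run_samples():
    """Map each sample URI to whether the rule's URI tests would match it."""
    return {uri: would_alert(uri) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, hit in run_samples().items():
        print(("ALERT " if hit else "quiet ") + uri)
```

The last two samples mark the rule's edges: the unanchored pcre also fires on a parameter whose name merely ends in "rev", and a request for any topic other than TWikiUsers is not examined at all.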